authorIdo Yariv <ido@wizery.com>2010-09-22 03:53:13 -0400
committerJohn W. Linville <linville@tuxdriver.com>2010-09-27 15:57:38 -0400
commit67e0208acea29682f5766eb9f67f6f26117eef3e (patch)
tree39445bd52a7c310d5f70b94aa0c257fdd1a8669b /drivers/net/wireless/wl12xx
parent87fd2e6c90acb45a5741207fc953190596f93841 (diff)
wl1271: Fix overflow in wl1271_boot_upload_nvs
Due to miscalculation of nvs_len, excessive data was sent to the firmware. Fix this by first setting nvs_ptr to point to the first NVS table, and computing the total size of all NVS tables accordingly. Signed-off-by: Ido Yariv <ido@wizery.com> Tested-By: Tuomas Katila <ext-tuomas.2.katila@nokia.com> Acked-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/wl12xx')
-rw-r--r--drivers/net/wireless/wl12xx/wl1271_boot.c17
1 files changed, 6 insertions, 11 deletions
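diff --git a/drivers/net/wireless/wl12xx/wl1271_boot.c b/drivers/net/wireless/wl12xx/wl1271_boot.c
index fc21db810812..e5a7f042645f 100644
--- a/drivers/net/wireless/wl12xx/wl1271_boot.c
+++ b/drivers/net/wireless/wl12xx/wl1271_boot.c
@@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 
 /*
 * We've reached the first zero length, the first NVS table
-* is 7 bytes further.
+* is located at an aligned offset which is at least 7 bytes further.
 */
-nvs_ptr += 7;
+nvs_ptr = (u8 *)wl->nvs->nvs +
+ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4);
 nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;
-nvs_len = ALIGN(nvs_len, 4);
 
 /* FIXME: The driver sets the partition here, but this is not needed,
 since it sets to the same one as currently in use */
@@ -286,14 +286,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 wl1271_set_partition(wl, &part_table[PART_WORK]);
 
 /* Copy the NVS tables to a new block to ensure alignment */
-/* FIXME: We jump 3 more bytes before uploading the NVS. It seems
-that our NVS files have three extra zeros here. I'm not sure whether
-the problem is in our NVS generation or we should really jumpt these
-3 bytes here */
-nvs_ptr += 3;
-
-nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if
-(!nvs_aligned) return -ENOMEM;
+nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL);
+if (!nvs_aligned)
+return -ENOMEM;
 
 /* And finally we upload the NVS tables */
 /* FIXME: In wl1271, we upload everything at once.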
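Review bot: Nothing visible in the first hunk checks that the re-aligned `nvs_ptr` still lies inside the NVS image before `nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;` runs. The new `ALIGN(... + 7, 4)` can move the pointer up to 10 bytes past where the walk stopped, so on a truncated or malformed NVS file the offset could exceed the remaining length. If `nvs_len` is an unsigned type (its declaration is outside the hunk), the subtraction would wrap, and the `kmemdup(nvs_ptr, nvs_len, GFP_KERNEL)` in the second hunk would then be asked to copy far beyond the firmware buffer. A guard placed before the subtraction would close this, for example `if (nvs_ptr - (u8 *)wl->nvs->nvs > nvs_len) return -EINVAL;` with the comparison adapted to the real type of `nvs_len`. The body of wl1271_boot_upload_nvs starts and ends outside these hunks, so an equivalent bound may already exist in the table-walk loop that is not shown.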